Magecart Group 5 Linked To Carbanak APT Group, Researchers Say

• By analyzing the domains and email addresses used by the Magecart Group 5, researchers were able to identify several domains that are connected to the Dridex campaigns.
• Especially, a specific email address was found to be used for registration of domains for various Dridex phishing campaigns.

Context

Researchers from Malwarebytes have analyzed the domains and activities of Magecart Group 5 and have determined connections to the Carbanak group and Dridex phishing campaigns.

Magecart Group 5’s modus operandi

Magecart Group 5 targets the supply chain used by e-commerce sites to load various libraries, analytics, or security seals.

• The group’s attacks are primarily aimed at compromising a third-party supplier in order to impact hundreds of thousands of websites.
• The group’s attack vector is a highly obfuscated skimmer script that exfiltrates payment card data such as credit card number, expiry date, and CVV from customers who purchase from one of the compromised stores.

Links to Carbanak group and Dridex campaigns

By analyzing the domains and email addresses used by the Magecart Group 5, researchers were able to identify several domains that are connected to the Dridex campaigns.

Especially, the guotang323@yahoo[.]com email address was found to be used to register domains for various Dridex phishing campaigns, including

• corporatefaxsolutions[.]com domain used in Corporate efax campaign targeting Germans
• onenewpost[.]com domain used in OnePosting Dridex campaign
• xeronet[.]org domain used in Xero phish Dridex campaign

Furthermore, Dridex loader was found delivering Carbanak malware for companies and high-value targets.

“Victimology also helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit.

In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground,” researchers concluded.